Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Bug 1895053: Mount CA trust store in builds #218

Merged
merged 2 commits into from Feb 25, 2021
Merged

Bug 1895053: Mount CA trust store in builds #218

merged 2 commits into from Feb 25, 2021

Conversation

adambkaplan
Copy link
Contributor

Add the build container's CA trust store as a transient mount for buildah
if the BUILD_MOUNT_ETC_PKI_CATRUST environment variable is set to a
"true" value.

@openshift-ci-robot
Copy link
Contributor

@adambkaplan: This pull request references Bugzilla bug 1895053, which is valid. The bug has been updated to refer to the pull request using the external bug tracker.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target release (4.8.0) matches configured target release for branch (4.8.0)
  • bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, ON_DEV, POST, POST)

In response to this:

Bug 1895053: Mount CA trust store in builds

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@openshift-ci-robot openshift-ci-robot added bugzilla/severity-high Referenced Bugzilla bug's severity is high for the branch this PR is targeting. bugzilla/valid-bug Indicates that a referenced Bugzilla bug is valid for the branch this PR is targeting. labels Feb 10, 2021
@adambkaplan adambkaplan changed the title Bug 1895053: Mount CA trust store in builds WIP - Bug 1895053: Mount CA trust store in builds Feb 10, 2021
@openshift-ci-robot openshift-ci-robot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Feb 10, 2021
@openshift-ci-robot openshift-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Feb 10, 2021
adambkaplan
adambkaplan commented Feb 10, 2021
View reviewed changes
Copy link
Contributor Author

@adambkaplan adambkaplan left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm think we shouldn't fail fast if we can't configure the transient mounts. Thoughts?

pkg/build/builder/daemonless.go
st, err := os.Stat("/run/secrets/rhsm")
if err != nil {
return mounts, errors.Wrap(err, "failed to stat /run/secrets/rhsm")
}
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@gabemontero this is a refactor of your original code. However, I think we should not return an error.

From our experience, consuming entitlements in builds is more of a "secondary" use case. The worst case is if a build does a yum install and we don't provide the entitlement keys, the build fails at yum install time. I don't think we should fail all builds because we can't set up the rhsm data.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

sure I'm good with that @adambkaplan

pkg/build/builder/daemonless.go Outdated
mountCA, err := strconv.ParseBool(mountCAEnv)
if err != nil {
log.V(5).Infof("failed to parse BUILD_MOUNT_ETC_PKI_CATRUST: %v", err)
return mounts, errors.Wrap(err, "failed to parse BUILD_MOUNT_ETC_PKI_CATRUST")
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Likewise I don't think we should fail a build if we can't parse this env var or we don't find the trust bundle. If a build depends on this information, it will eventually fail.

adambkaplan
adambkaplan commented Feb 10, 2021
View reviewed changes
pkg/build/builder/daemonless.go
}

log.V(0).Infof("Adding transient ro bind mount for /etc/pki/ca-trust")
mounts = append(mounts, "/etc/pki/ca-trust:/etc/pki/ca-trust:ro")
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@nalind is this the right setting for a read-only mount? What do the nodev,noexec,nosuid arguments do for the rhsm mount?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, that's the right flag for making the bind read-only. The nodev,noexec,nosuid arguments request that in the new mountpoint, device nodes not be accessible, binaries not be executable despite the execute bit on their permissions, and that the setuid/setgid bit and file capabilities not be honored.

gabemontero
gabemontero reviewed Feb 10, 2021
View reviewed changes
pkg/build/builder/daemonless.go Outdated

mountCA, err := strconv.ParseBool(mountCAEnv)
if err != nil {
log.V(5).Infof("failed to parse BUILD_MOUNT_ETC_PKI_CATRUST: %v", err)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm fine with not failing on the parse error vs. later on @adambkaplan but if so I would prefer our clue/log here is not V(5) .... IMO a V(0) bread crumb is appropriate

gabemontero
gabemontero reviewed Feb 10, 2021
View reviewed changes
pkg/build/builder/daemonless.go Outdated

st, err := os.Stat("/etc/pki/ca-trust")
if err != nil {
log.V(5).Infof("failed to stat /etc/pki/ca-trust: %v", err)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I am fine with this staying v(5) .... presumably it is not as susceptible to user error

@openshift-ci-robot openshift-ci-robot mentioned this pull request Feb 22, 2021
Merged
@adambkaplan
bump(github.com/openshift/api):
d9ca6fd 
- Add MountTrustedCA field to builds. This ensures we serialize the build
  JSON correctly.
@adambkaplan
Bug 1895053: Mount CA trust store in builds
1ece4f9 
- Add the build container's CA trust store as a transient mount for buildah
  if the `BUILD_MOUNT_ETC_PKI_CATRUST` environment variable is set to a
  "true" value.
- Log "warning" that RHEL entitlements aren't available if we can't copy
  /run/secrets/rhsm data.
- Log "warning" that custom PKI trust bundles aren't available if we
  can't find /etc/pki/ca-trust.
@adambkaplan adambkaplan changed the title WIP - Bug 1895053: Mount CA trust store in builds Bug 1895053: Mount CA trust store in builds Feb 23, 2021
@openshift-ci-robot openshift-ci-robot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Feb 23, 2021
@adambkaplan adambkaplan mentioned this pull request Feb 23, 2021
Merged
@adambkaplan
Copy link
Contributor Author

@gabemontero this is ready for final review.

@adambkaplan
Copy link
Contributor Author

/retest

Builds hit known kubelet flake.

@gabemontero
Copy link
Contributor

/lgtm

@openshift-ci-robot openshift-ci-robot added the lgtm Indicates that a PR is ready to be merged. label Feb 24, 2021
@openshift-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: adambkaplan, gabemontero

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-bot
Copy link
Contributor

/retest

Please review the full test history for this PR and help us cut down flakes.

1 similar comment
@openshift-bot
Copy link
Contributor

/retest

Please review the full test history for this PR and help us cut down flakes.

@openshift-merge-robot openshift-merge-robot merged commit 1e71f32 into openshift:master Feb 25, 2021
@openshift-ci-robot
Copy link
Contributor

@adambkaplan: Some pull requests linked via external trackers have merged:

The following pull requests linked via external trackers have not merged:

These pull request must merge or be unlinked from the Bugzilla bug in order for it to move to the next state. Once unlinked, request a bug refresh with /bugzilla refresh.

Bugzilla bug 1895053 has not been moved to the MODIFIED state.

In response to this:

Bug 1895053: Mount CA trust store in builds

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@openshift-ci-robot openshift-ci-robot mentioned this pull request Mar 27, 2021
Merged
@openshift-ci-robot openshift-ci-robot mentioned this pull request Apr 18, 2021
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@nalind nalind nalind left review comments

@gabemontero gabemontero gabemontero left review comments

@coreydaley coreydaley Awaiting requested review from coreydaley

Assignees

@gabemontero gabemontero

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. bugzilla/severity-high Referenced Bugzilla bug's severity is high for the branch this PR is targeting. bugzilla/valid-bug Indicates that a referenced Bugzilla bug is valid for the branch this PR is targeting. lgtm Indicates that a PR is ready to be merged.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
6 participants
@adambkaplan @openshift-ci-robot @gabemontero @openshift-bot @nalind @openshift-merge-robot